Chapter
Contractor Responsibilities
ATTACHMENT I: SUMMARY OF DATA BREACHES AT FIVE AGENCIES
Department of Defense (Navy)
Health and Human Services (HHS)
APPENDIX II: COMMENTS FROM THE OFFICE OF MANAGEMENT AND BUDGET
APPENDIX III: COMMENTS FROM THE DEPARTMENT OF VETERANS AFFAIRS
Chapter 2 USE OF DATA FROM INFORMATION RESELLERS∗
Federal Laws and Guidance Govern Use of Personal Information in Federal Agencies
The Fair Information Practices Are Widely Agreed to Be Key Principles for Privacy Protection
AGENCIES USED GOVERNMENTWIDE CONTRACTS TO OBTAIN PERSONAL INFORMATION FROM INFORMATION RESELLERS FOR A VARIETY OF PURPOSES
DOJ and DHS Used Information Resellers Primarily for Law Enforcement and Counterterrorism
SSA and State Used Information Resellers Primarily for Fraud Prevention and Detection
AGENCIES LACKED POLICIES ON USE OF RESELLER DATA, AND PRACTICES DO NOT CONSISTENTLY REFLECT THE FAIR INFORMATION PRACTICES
Limitations in the Applicability of the Privacy Act and Ambiguities in OMB Guidance Contributed to an Uneven Adherence to the Purpose Specification, Openness, and Individual Participation Principles
Privacy Impact Assessments Could Address Openness and Purpose Specification Principles but Often Were Not Conducted
Agencies Often Did Not Have Practices in Place to Ensure Accountability for Proper Handling of Information Reseller Data
Not All Agencies Have Taken Steps to Address our Recommendations
Privacy Provisions of the Proposed Federal Agency Data Protection Act are Consistent with Our Recommendations
Chapter 3 ENHANCING PROTECTION OF PERSONALLY IDENTIFIABLE INFORMATION∗
Federal Laws and Guidance Govern Use of Personal Information in Federal Agencies
OMB Has Primary Responsibility for Oversight of the Privacy, E-Government, and Paperwork Reduction Acts
Previous Studies Have Raised Concerns about the Sufficiency of Privacy Laws
Additional Laws Provide Protections for Federal Agency Use of Personal Information
THE PRIVACY ACT AND E-GOVERNMENT ACT DO NOT ALWAYS PROVIDE PROTECTIONS FOR FEDERAL USES OF PERSONAL INFORMATION
Key Terms in the Privacy Act May Be Defined Too Narrowly
The E-Government Act Applies More Broadly Than the Privacy Act but Lacks Explicit Constraints on Agency Actions
Alternatives for Broadening the Coverage of Privacy Laws
LAWS AND GUIDANCE MAY NOT EFFECTIVELY LIMIT AGENCY COLLECTION AND USE OF PERSONAL INFORMATION TO SPECIFIC PURPOSES
Fair Information Practices Call for Purpose Specification and Limitations on Collection and Use of Personal Information
The Privacy Act Does Not Ensure That Purposes Are Always Stated and Are Specific
Laws and Guidance May Not Effectively Limit Collection of Personal Information
Mechanisms to Limit Use of Personally Identifiable Information to a Specified Purpose May Be Ineffective
ALTERNATIVES FOR BETTER ENSURING THAT PURPOSE IS SPECIFIED AND THAT COLLECTION AND USE OF PERSONAL INFORMATION ARE LIMITED
THE PRIVACY ACT MAY NOT INCLUDE EFFECTIVE MECHANISMS FOR INFORMING THE PUBLIC
Alternatives for Improving Notice to the Public
MATTER FOR CONGRESSIONAL CONSIDERATION
AGENCY COMMENTS AND OUR EVALUATION
LIST OF CONGRESSIONAL REQUESTERS
APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY
APPENDIX II: NATIONAL ACADEMY OF SCIENCES EXPERT PANEL PARTICIPANTS
APPENDIX III: PRIVACY ACT EXEMPTIONS AND EXCEPTIONS TO THE PROHIBITION AGAINST DISCLOSURE WITHOUT CONSENT OF THE INDIVIDUAL
The Privacy Act Provides Exemptions for Certain Sensitive Activities
Exceptions to the Prohibition against Disclosure without Prior Written Consent of the Individual
APPENDIX IV: OMB PRIVACY GUIDANCE
APPENDIX V: COMMENTS FROM THE OFFICE OF MANAGEMENT AND BUDGET∗
Chapter 4 STRENGTHENING PROTECTION OF PERSONALLY IDENTIFIABLE INFORMATION∗
Federal Laws and Guidance Govern Use of Personal Information in Federal Agencies
OMB Has Primary Responsibility for Oversight of the Privacy, E-Government, and Paperwork Reduction Acts
Prior GAO Reports Have Identified Privacy Challenges at Federal Agencies
KEY TERMS IN THE PRIVACY ACT MAY BE DEFINED TOO NARROWLY
THE PRIVACY ACT DOES NOT ENSURE THAT THE USE OF PERSONAL INFORMATION IS LIMITED TO CLEARLY STATED PURPOSES
THE PRIVACY ACT MAY NOT INCLUDE EFFECTIVE MECHANISMS FOR INFORMING THE PUBLIC
AMENDING PRIVACY LAWS COULD ADDRESS GAPS AND SHORTCOMINGS IN PRIVACY PROTECTIONS
Chapter 5 OVERSIGHT OF PRIVACY ACTIVITIES∗
LAWS AND GUIDANCE SET VARYING REQUIREMENTS FOR SENIOR PRIVACY OFFICIALS
Laws and Guidance Address the Roles and Responsibilities of Privacy Officials
AGENCIES HAVE VARYING PRIVACY MANAGEMENT STRUCTURES, AND SENIOR AGENCY OFFICIALS FOR PRIVACY DO NOT CONSISTENTLY HAVE OVERSIGHT OF ALL KEY FUNCTIONS
Agencies Varied in Their Designation of Senior Privacy Officials and in Their Organizational Placement of Key Privacy Functions
Varying Requirements in Laws and Related Guidance Have Led to Fragmented Assignment of Privacy Functions
RECOMMENDATION FOR EXECUTIVE ACTION
AGENCY COMMENTS AND OUR EVALUATION
APPENDIX I: OBJECTIVES, SCOPE, AND METHODOLOGY
APPENDIX II: COMMENTS FROM THE DEPARTMENT OF COMMERCE
APPENDIX III: COMMENTS FROM THE DEPARTMENT OF DEFENSE
APPENDIX IV: COMMENTS FROM THE DEPARTMENT OF JUSTICE
APPENDIX V: COMMENTS FROM THE DEPARTMENT OF LABOR
APPENDIX VI: COMMENTS FROM THE DEPARTMENT OF THE TREASURY
APPENDIX VII: RECENT LAWS ESTABLISHING PRIVACY PROTECTION RESPONSIBILITIES AT FEDERAL AGENCIES
Homeland Security Act of 2002
Intelligence Reform and Terrorism Prevention Act of 2004
Violence Against Women and Department of Justice Reauthorization Act of 2005
Transportation, Treasury, Independent Agencies and General Government Appropriations Act of 2005
Implementing Recommendations of the 9/11 Commission Act of 2007